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Abstract — We show that the well-known Konig's Min-Max 
Theorem (KMM), a fundamental result in combinatorial matrix 
theory, can be proven in the first order theory LA with induction 
restricted to Sf formulas. This is an improvement over the 
standard textbook proof of KMM which requires Ilf induction, 
and hence does not yield feasible proofs — while our new 
approach does. LA is a weak theory that essentially captures 
the ring properties of matrices; however, equipped with Ef 
induction LA is capable of proving KMM, and a host of other 
combinatorial properties such as Menger's, Hall's and Dilworth's 
Theorems. Therefore, our result formalizes Min-Max type of 
reasoning within a feasible framework. 

I. Introduction 

In this paper we are concerned with the complexity of 
formalizing reasoning about combinatorial matrix theory. We 
are interested in the strength of the bounded arithmetic theories 
necessary in order to prove the fundamental results of this 
field. We show, by introducing new proof techniques, that 
the logical theory LA with induction restricted to bounded 
existential matrix quantification is sufficient to formalize a 
large portion of combinatorial matrix theory. 

Perhaps the most famous theorem in combinatorial matrix 
theory is the Konig's Mini-Max Theorem (KMM) which 
arises naturally in all areas of combinatorial algorithms — 
for example "network flows" with "min-cut max-flow" type 
of reasoning. See (TJ, (2) for the original papers introducing 
KMM, and see Q for recent work related to formalizing 
proof of correctness of the Hungarian algorithm, which is an 
algorithm based on KMM. As far as we know, we give the 
first feasible proof of KMM. 

As KMM is a cornerstone result, it has several counter- 
parts in related areas of mathematics: Menger's Theorem, 
counting disjoint paths; Hall's Theorem, giving necessary and 
sufficient conditions for the existence of a "system of distinct 
representatives" of a collection of sets; Dilworth's Theorem, 
counting the number of disjoint chains in a poset, etc. We 
note that we actually show the equivalence of KMM with a 
restricted version of Menger's Theorem. 

We show that KMM can be proven feasibly (Theorem Q]), 
and we do so with a new proof of KMM that relies on 
introducing a new notion (Definition [3). Furthermore, we 
show that the theorems related to KMM, and listed in the 
above paragraph, can also be proven feasibly; in fact, all these 
theorems are equivalent to KMM, and the equivalence can be 



shown in LA (Theorem |9). We believe that this captures the 
proof complexity of Min-Max reasoning. 

Our results show that Min-Max reasoning can be formalized 
with uniform Extended Frege. It would be very interesting to 
know whether the techniques recently introduced by [4 ] could 
bring the complexity further down to quasi-polynomial Frege. 

II. Background 

KMM states the following: Let A be a matrix of size nxm 
with entries in {0, 1}, what we sometimes call a 0-1 matrix. 
A line of A is an entire row or column of A; given an entry 
Aij of A (when giving LA formulas we shall denote such an 
entry with A(i,j)), we say that a line covers that entry if this 
line is either row i or column j. Then, the minimal number of 
lines in A that cover all of the Is in A is equal to the maximal 
number of Is in A with no two of the Is on the same line. 
Note that KMM is stated for nxm matrices, but for simplicity 
we shall state it for n X n (i.e., square) matrices; of course, 
all results given in this paper hold for both. 

See pg. 6] for a classical discussion and proof of KMM 
(and note that the proof relies, implicitly, on a nf type of 
induction). 

We give a feasible proof of KMM in the logical theory 
LA defined in (6). By restricting the induction to be over Ef 
formulas, that is formulas whose prenex form consists of a 
block of bounded existential matrix quantifiers — and no other 
matrix quantifiers — we manage to prove KMM in a fragment 
of LA called 3LA. While the matrices in the statements of the 
theorems have {0,1} entries, we assume that the underlying 
ring is Z, the set of integers. We require the integers as one of 
our fundamental operations will be counting the number of 1 s 
in a 0-1 matrix, i.e., computing HA, the sum of all the entries 
of A. 

The background for LA is given in a one-page Appendix 
at the end of the paper, but the interested reader can read the 
full treatment in J6). We shall leave routine details of proofs 
to the reader, in the interest of space. 

The main contribution of this paper is to show that KMM 
can be proven in the theory 3LA which implies that it can be 
proven feasibly. We mention here an important observation of 
Jefabek from Q pg. 44]: 3LA does not necessarily translate 
into a polytime proof system (e.g., extended Frege) when the 
matrices are over Z. However, if we restrict the quantified 



matrices to be over {0, 1}, which is what we do in our proofs, 
it readily translates into extended Frege. 

We use \A\ < n to abbreviate r(A) < n A c(A) < n, that 
is, the number of rows of A is bounded by n, and the number 
of columns of A is bounded by n. We let (3A < n)a — 
resp. (\A4 < n)a — abbreviate < n A a] — resp. 

(VA)[|/1 < n — > a]. These are bounded matrix quantifiers. 

Note that LA allows for reasoning with arbitrary quantifi- 
cation; however, in LA we only allow induction over formulas 
without matrix quantification. On the other hand, in 3LA 
we allow induction over so called Sf formulas. These are 
formulas, which when presented in prenex form, contain a 
single block of bounded existential matrix quantifiers. The 
set of formulas Ilf is defined similarly, except the block of 
quantifiers is universal. 

In general, Sf is the set of formulas which, when presented 
in prenex form, start with a block of bounded existential matrix 
quantifiers, followed by a block of bounded universal matrix 
quantifiers, with i such alternating blocks. The set Ilf is 
the same, except it starts with a block of universal matrix 
quantifiers. 

The main contribution of our paper can now be stated more 
precisely: following Konig's original proof of KMM, which 
is also the standard presentation of the proof in the literature 
(see the seminal work in the field j5] pg. 6]) one can construct 
a proof with nf induction, which does not yield translations 
into extended Frege proofs. On the other hand, we are able 
to give a proof that uses only Sf induction, which do yield 
extended Frege proofs, and thereby a feasible proof of KMM. 
Our insight is that while we are doing induction over the size 
of matrices, we can pre-arrange our matrices in a way that 
lowers the complexity of the induction. This is accomplished 
with the procedure outlined in the Definition [3] — the diagonal 
property for matrices — and the subsequent proof of Claim 5] 

We show how to express the concepts necessary to state 
KMM in the language £la- First, we say that the matrix a 
is a cover of a matrix A with the predicate: 

CoverfA a) := 

(1) 

Vi,j < r(A)(A(i, j) = 1 -> a(l,i) = 1 Va(2, j) = 1) 

We allow some leeway with notation: Vi, j < r(A) is of course 
(Vi < r(A))(\/j < r(A)). The matrix a keeps track of the 
lines that cover A; it does so with two rows: the top row 
keeps track of the horizontal lines, and the bottom row keeps 
track of the vertical line. The condition ensures that any 1 in 
A is covered by some line stipulated in a. 

The next predicate expresses that the matrix f3 is a selection 
of Is of A so that no two of these lines are on the same line. 
Thus, /3 can be seen as a "subset" of a permutation matrix; 
that is, each /3 is obtained from some permutation matrix by 
deleting some (possibly none) of the Is. We say that j3 is a 
selection of A, and it is given with the following formula: 

Select^,/?) :=Wi,j < r{A){{(3{i, j) = 1 -> A(i,j) = 1) 

AVfc < r(A)(/3(i,j) = 1 p(i,k) =0A/3(k,j) = 0)) 

(2) 



We are interested in a minimum cover (as few Is in a 
as possible) and a maximum selection (as many Is in /? as 
possible). The following two predicates express that a is a 
minimum cover and j3 a maximum selection. 

MinCover(A, a) := (3) 
Covcr(A, a) A Va' < c(a) (Cover(A, a') -> Sa' > So) 
MaxSelect^,/?) := (4) 
Select(j4, (3) A V/3' < r(/3)(Select(A, 0') -> S/3' < £/?) 

Clearly MinCovcr and MaxSelect are nf formulas. We 
can now state KMM in the language of £la as follows: 

MinCover(A, a) A MaxSelect (A, 0) ->■ Sa = S/3 (5) 

Note that <|5) is a Sf formula. The reason is that in 
prenex form, the universal matrix quantifiers in MinCover 
and MaxSelect become existential as we pull them out of 
the implication; they are also bounded. 

Let KMM(i, n) be the following Sf formula: it is a 
conjunction of the statement that A is an n x n matrix, which 
we abbreviate informally as |A| = n, and which in £la is 
stated as r(A) = n A c(A) = n, and (0 in prenex form: 

KMM(i, n) := \A\ = n A prenex©. (6) 

Given a matrix A, let Ia and oa denote the minimum 
number of lines necessary to cover all the Is of A, and 
the maximum number of Is no two on the same line, re- 
spectively. (Of course, Konig's theorem says that for all A, 
I A = oa-) In terms of the definitions just given, we have 
that I a = Sa where MinCover(A, a), and oa = S/3 where 
MaxSelect(^,^). 

Finally, the fact that P is a permutation matrix can be stated 
easily with a predicate free of matrix quantification; see, for 
example, J8). 

III. The main result 

With the basic machinery in place, we can now prove the 
main Theorem of the paper. 
Theorem 1: 3LA h KMM. 

What this Theorem says is that KMM can be shown in LA 
with Sf induction, and thus in uniform extended Frege, which 
in turn means feasibly. The rest of this section consists in a 
proof of this theorem. 

Some of the intermediate results can be shown with just 
LA induction (i.e., induction over formulas without matrix 
quantifiers, that is, over formulas in S^ = 11^). We use the 
weaker theory whenever possible. 

Lemma 2: Given a matrix A, and given any permutation 
matrix P, we have 

• LA h Ipa = Iap = I A 

. LA h o P a = o A p = o A 
That is, these four equalities can be proven in LA, i.e., with 
induction restricted to formulas without matrix quantifiers. 

Proof: LA shows that if we reorder the rows or columns 
(or both) of a given matrix A, then the new matrix, call it A', 
where A' = PA or A' = AP, has the same size minimum 



cover and the same size maximum selection. Of course, we 
can reorder both rows and columns by applying the statement 
twice: A' = PA and A" = A'Q = PAQ. 

The first thing that we need to show is that: 

. LA h Cover(^, a) -> Cover(v4', a') 

. LA h Select^, P) -> Select (A', P) 
where A 1 is defined as in the above paragraph, and a' is the 
same as a, except the first row of a is now reordered by 
the same permutation P that multiplied A on the left (and 
the second row of a is reordered if P multiplied A on the 
right). The matrix j3 is even easier to compute, as f$' = P/3 if 
A 1 = PA, and /?' = fiP if A' = AP. It follows from P being 
a permutation matrix that Ea = Ea' and E/3 = E/3': we can 
show by LA induction on the size of matrices that if X' is 
the result of rearranging X (i.e., X' = PXQ, where P, Q are 
permutation matrices), then Y.X = YjX' . We do so first on 
X consisting of a single row, by induction on the length of 
the row. Then we take the single row as the basis case for 
induction over the number of rows of a general X. 

It is clear that given A', the cover a' has been adjusted 
appropriately; same for the selection j3'. We can prove it 
formally in LA by contradiction: suppose some 1 in A' is not 
covered in a'; then the same 1 in A would not be covered by 
a. For the selections, note that reordering rows and/or columns 
we maintain the property of being a selection: we can again 
prove this formally in LA by contradiction: if j3' has two Is 
on the same line, then so would (3. 

The next thing to show is that 

. LAh MinCovcr(A, a) -> MinCovcr(A', a') 
. LA h MaxSelect(A,^) MaxSelect(A', /?') 

and the reasoning that accomplishes this is by contradiction. 
As permuting only reorders the matrices (it does not add or 
take away Is), if the right-hand side does not hold, we would 
get that the left-hand side does not hold by applying the inverse 
of the permutation matrix. 

All these arguments can be easily formalized in LA, and 
we leave the details to the reader. ■ 

The next definition is a key concept in the Ef proof of 
KMM. 

Definition 3: We say that an n x n matrix over {0, 1} has 
the diagonal property if for each diagonal entry of A, 
either A u = l, or (Vj > i)[A r] = A A yi = 0]. 

Claim 4: Given any matrix A, 3LA proves that there exist 
permutation matrices P, Q such that PAQ has the diagonal 
property. 

Proof: We construct P, Q inductively on n = Let the 
i-th layer of A consist of the following entries of A: Aij, for 
j = i, . . . ,n and Aji for j = i + 1, . . . , n. Thus, the first layer 
consists of the first row and column of A, and the n-th layer 
(also the last layer), is just A nn . We transform A by layers, 
i = 1, 2, 3, . . .. At step i, let A 1 be the result of having dealt 
already with the first i—1 layers. If A' u = 1 move to the next 
layer, i + 1. Otherwise, find a 1 in layer i of A'. If there is no 
1 , also move on to the next layer, i + 1 . If there is a 1 , permute 
it from position A^r, j' € {i, . , . ,n} to A' u , or from position 



AjH, j' £ {i + 1, . . . , n}. Note that such a permutation does 
not disturb the work done in the previous layers; that is, if 
A' kk , k < i, was a 1, it continues being a 1, and if it was not 
a 1, then there are no Is in layer k of A', ■ 

It is Claim [4] that allows us to bring down the complexity 
of the proof of KMM from flf to Ef . As we shall see, 
by transforming A into A', so that A' = PAQ where P, Q 
are permutation matrices and A' has the diagonal form, we 
can prove KMM for A' with just Ef induction, and then 
by Lemma |2] we obtain an 3LA proof of KMM for A. All 
of this is made precise in the following Lemma; recall that 
KMM(4,n) is defined in ©. 

Lemma 5: 3LA h VnKMM(A, n). 

We are going to prove Lemma by induction on n, 
breaking it down into Claims [6] and [7] Once we have that 
VnKMM(^4, n), we replace n with \A\, and obtain an 3LA 
proof of (0, and thereby a proof of Theorem Q] 

From Claims [2] and [4] we know that it is sufficient to prove 
Lemma [5] for appropriate PAQ, which ensures the diagonal 
property spelled out in Claim @] Thus, in order to simplify 
notation, we assume that our A is the result of applying the 
permutations; i.e., A has the diagonal property. 

Claim 6: LA h oa < Ia- 

Proof: Given a covering of A consisting of Ia lines, we 
know that every 1 we pick for a maximal selection of Is has 
to be on one of the lines of the covering. We also know that 
we cannot pick more than one 1 from each line. Thus, the 
number of lines in the covering provide an upper bound on 
the size of such selection, giving us oa < Ia- 

We can formalize this argument in LA as follows: let A' 
be a matrix whose rows represent the I a lines of a covering, 
and whose columns represent the oa Is no two on the same 
line. Let A'(i,j) = 1 -^=^> the line labeled with i covers 
the 1 labeled with j. Then, 

o A = c(A') < SA' (*) 
= Si(i:Xpq(l,c(A'),A'(i,q))) (**) 
< E,l = r(A') = l A , 

where the inequality in the line labeled by (*) can be shown 
by induction on the number of columns of a matrix which has 
the condition that each column contains at least one 1 ; and the 
equality labeled with (**) follows from the fact that we can 
add all the entries in a matrix by rows (and A' is such that 
each row contains at most one 1). ■ 

We briefly discuss the implications of Claim [6] for the 
provability of variants of the pigeonhole principle (PHP) in 
LA in Section [VTJ 

As Claim [6] shows, LA is sufficient to prove oa < Ia\ on 
the other hand, we seem to require the stronger theory 3LA 
(which is LA with induction over Ef formulas) in order to 
prove the other direction of the inequality. 

Claim 7: 3LA h oa > Ia- 
Proof: By induction on n = \A\. We assume throughout 
the proof that the matrix has the diagonal property (see 



Definition [3). Let 





a 


R 


A = 


S 




M 



(7) 



where a is the top-left entry, and M the principal sub-matrix 
of A, and R (resp. S) is 1 x (n — 1) (resp. (n — 1) X 1). From 
the diagonal property we know that one of the following two 
cases is true: 
Case 1. a = 1 

Case 2. a, R, S consist entirely of zeros 

In the second case, oa > h\ follows directly from the 
induction hypothesis, om > hi, as oa = om > hi = h\- 
Thus, it is the first case, a = 1, that is interesting. The first 
case, in turn, can be broken up into two subcases: hi =n—l 
and hi < n — 1. 

Subcase (1-a) hi = n - 1 

By induction hypothesis, om > Im = n — 1. We also have 
that o = l, and a is in position (1,1), and hence no matter 
what subset of Is is selected from M, none of them lie on the 
same line as a. Therefore, oa > Om + 1. Since om > n — 1, 
O/i > n, and since we can always cover ^4 with n lines, we 
have that n > I a, and so oa > I a- 

Subcase (1-b) Im < n — 1 

Consider a covering of M of size < n — 1. We break 
this case down into two further sub-subcases, depending on 
whether this particular covering has, or has not, the following 
property: when all lines of the covering (of M) are extended 
to the entire matrix A, they cover all the 1 s in S, or they cover 
all the Is in R. 

For the sake of formalizing the proof in LA, we define the 
notion of "extension" more precisely. 

Definition 8: Let A and M be as in (0, and let Cm be a 
set of lines of M, i.e., Cm consists of rows i\, «2, • • • , i&, and 
columns ji, j2, ■ ■ ■ The extension of Cm to Ca is simply 
the set of rows ii + 1, £2 + 1, • • • , ife + 1, and the set of columns 
ji + 1,32 + 1, ■ ■ • ,jt + 1. 

Sub-subcase (1-b-i) The given covering of M of size Im, 
when extended to the full matrix A, covers all the Is in S, or 
covers all the Is in R (or possibly both). 

By induction hypothesis, om = hi, and so we can pick Im 
Is in M, no two of them on the same line, plus a, to have 
a selection of Is, no two on the same line, of size hi + L 
Thus, oa > hi + 1. On the other hand, there is a covering 
of A consisting of the lines covering M (now extended to all 
of A), plus the first column of A (if it was R that was fully 
covered by the extension), or the first row of A (if it was S 
that was fully covered by the extension). Note that if both 
R, S were fully covered by the extension, just pick arbitrarily 
the first row or the first column of A, as all that matters in 
this case is to cover a = 1. Therefore, hi + 1 > I a, and so 
o A > Ia- 

Sub-subcase (1-b-ii) The given covering of M, of size Im, 
when extended to A, it leaves some 1 in R uncovered, and 
some 1 in S uncovered. 



In that case, oa > om + 2, where we picked a covering 
of M, extended it to A, and picked a selection of Is of size 
om, no two on the same line, plus a 1 in R uncovered by 
the extension, and a 1 in S uncovered by the extension, to 
create a selection of Is in A of size om + 2, no two on the 
same line. On the other hand, hi + 2 lines cover all of A: the 
extension of the cover of M of size hi plus the first row and 
first column of A. Thus om + 2 = Im + 2 > I a- Altogether, 
oa > Ia- 

This ends the proof of Claim [7] ■ 

IV. Induced Algorithm 

The standard KMM Theorem is stated as an implication 
(see (0), and hence it makes no assertions about the actual 
existence of a minimal covering or maximal selection of Is, 
let alone how to compute them. It only says that if they do 
exist, they are equal. However, the proof of Lemma |5] suggests 
an algorithm for computing both. 

Note that computing a minimal cover can be accomplished 
in polytime with the well-known Karp-Hopcroft (KH) algo- 
rithm (see J9)) as follows: First use the KH algorithm to 
compute a "maximal matching," which in this case is simply 
a maximal selection of Is (when we view A — in the natural 
way — as the adjacency matrix of a bipartite graph). In ifTUI . 
the authors show how to convert, in linear time, a maximal 
selection into a minimal cover. 

Certainly the correctness of the algorithms mentioned in 
the above paragraph can be shown in 3LA (as it captures 
polytime reasoning — see Q), and so it follows that we 
can prove in 3LA the existence of a minimal cover and 
maximum selection. Therefore, 3LA can prove something 
stronger than (0. Namely, it can not only show that we 
have a minimal cover and a maximal selection, then they have 
the same size, but rather, that there always exists a minimal 
cover and maximal selection, and the two are of equal size. 

However, instead of doing the heavy lifting necessary to 
formalize the correctness of HK and ifTol in 3LA, we present a 
new simple polytime algorithm for computing minimal covers 
based on the proof of Lemma [5] Note that a similar argument 
would show the existence of a polytime algorithm for maximal 
selection — we leave that to the reader. 

The algorithm works as follows: given a 0-1 matrix A, we 
first put A in the diagonal form (see Definition 0. We now 
work with A which is assumed to be in diagonal form and 
proceed by computing recursively hi, the size of a minimal 
cover of M, where M is the principal submatrix of A. Keeping 
in mind the form of A given by @, we have the following 
cases: 

Case 1. If a = (in which case R, S are also zero, by the 
fact that A has been put in diagonal form), then Ia = hi, and 
proceed to compute the minimal cover C of M; output C, 
the extension of C (see Definition [H}. 

Case 2. If a ^ 0, we first examine R to see if the matrix 
M', consisting of the columns of M minus those columns of 
M which correspond to Is in R, has a cover of size — YIR 
(of course, if Im < Si?, then the answer is "no"). 



If the answer is "yes", compute the minimal cover of M', 
Cm 1 - Then let Cm be the cover of M consisting of the 
lines in Cm 1 properly renamed to account for the deletion 
of columns that transformed M into M' , plus the columns of 
M corresponding the the Is in R. Then, Ca is the result of 
extending Cm and adding the first column of A. 

If the answer is "no", repeat the same with S: let M' be 
the result of subtracting from M the rows corresponding to 
the rows with Is in S. Check whether M' has a cover of size 
Im — If the answer is "yes" then build a cover for A as 
in the i?-case. 

If the answer is "no", then compute any minimal cover for 
M, extend it to A, and add the first row and column of A; 
this results in a cover for A. 

At the end, we apply the permutations P, Q that converted 
A to the diagonal form, to the final C, and output that as the 
minimal cover of the original A. As was mentioned above, a 
similar polytime recursive algorithm can compute a maximal 
selection of Is; we leave that to the reader. 

V. Related theorems 

In this section we are going to prove that the various 
reformulations of KMM, arising in graph theory and partial 
orders, can be proven equivalent to KMM in low complexity 
(LA), and therefore they also have feasible proofs. We state 
this as the following theorem: 

Theorem 9: The theory LA proves the equivalence of 
KMM, Menger's (restricted), Hall's and Dilworth's Theorems. 

The proof of consists of Lemmas Q~TJ and Qj] showing the 
equivalence of KMM and a restricted version of Menger's 
Theorem in Subsection A; Lemmas Q3] and [16] showing the 
equivalence of KMM and Hall's Theorem in Subsection B; 
Lemmas [T7] and [18J showing the equivalence of KMM and 
Dilworth's Theorem in Subsection C. Each subsection starts 
with a description of how to formalize the given Theorem, 
followed by the two Lemmas giving the two directions of the 
equivalence. 

A. Menger's Theorem 

Given a graph G = (V,E), an x, y-path in G is a sequence 
of distinct vertices v\,V2, ■ ■ ■ ,v n such that x = V\ and 
y = v n and for all 1 < i < n, (vi,Vi + i) G E. The vertices 
{i>2, • ■ • ,v n -i} are called internal vertices; we say that two 
x, y-paths are internally disjoint if they do not have internal 
vertices in common. 

Given two distinct vertices x, y G V, we say that S C E 
is an x, y-cut if there is no path from x to y in the graph 
G' = (V,E — S). Let k(x, y) represent the size of the smallest 
x, y-cut, and let X(x, y) represent the size of the largest set of 
pairwise internally disjoint x, y-paths. 

Menger's theorem states that for any graph G = (V, E), if 
x, y G V and (x, y) £ E, then the minimum size of an x, y-cut 
equals the maximum number of pairwise internally disjoint 

y-paths. That is, n(x,y) = X(x,y). For more details on 
Menger's Theorem turn to JTTj, lfT2l . ifPTl . Menger's Theorem 



is of course the familiar Min-Cut Max-Flow Theorem where 
all edges have capacity 1. 

As was noted earlier, we do not show the equivalence 
of KMM with the standard version of Menger's Theorem, 
but rather with a restricted version. Since this restriction is 
important, we give it in a definition. 

Definition 10: Given a graph G = (V, E), we say that a 
pair of vertices x, y G V is restricted if any x, y-path shares 
edges with at most one other x, y-path. 

The intuition behind this definition is that given an x, y- 
restricted pair, there is little "redundancy" in the paths between 
x and y. 

We now show how to state Menger's theorem in £la- We 
start by defining the predicate Path(vl, x, y, a), which 
states that a encodes the internal vertices of a path from x 
to y in A. We define Path by parts; first we state that a has 
at most one 1 in each row and column: 



(V/ <n-2)['EX ij (l,n-2,a(l,j)) 
A T,Xij(n - 2, l,a(i,l)) = 1] 



1 



(8) 



Then we say that if the Z-th node is p and I + 1-th node is q, 
then there is an edge between p and q: 



(yi,P,Q < n - 3) 
(a(l,p) = 1 A a{l + 1, g) = 1) — > A(p, q) = 1 



(9) 



Note that in general different paths are of different lengths; 
this can be dealt with in a number of ways: for example, by 
padding a with repetitions of the last row (so that each a has 
exactly n — 2 rows). We assume that this is what we do, and 
the reader can check that £la can express this easily. 

If i is the first intermediate node then (x,i) G E, and if i 
is the last intermediate node then (i, y) G E: 



a{l,i) = 1 ->■ A(x,i) = 1 

A a(n - 2, i) = 1 ->■ A(i, y) = 1 



(10) 



Putting it all together, the formula expressing Path is 
given by the conjunction of A(x, y) = together with the 
above properties, i.e., 

Path(A x, y, a) := © A ® A (T^ A A(x, y) =0. (11) 

Finally, we state that two paths a, a' are internally disjoint: 

Disjoint(A, x, y, a, a') := 

Path(A, x, y, a) A Path(A, x, y, a') (12) 
A (Vi < n - 2Vj < n - 2)(a(i,j) • a'(i,j) = 0) 

We leave stating that x, y is a restricted pair to the reader. 

We must be able to talk about a collection of paths; the 0-1 
matrix f3 will encode a collection of paths a±, a.2, . ■ . , a\: 



a 2 



/3[A] 



ax 



(13) 



so that (3 is a matrix of size (n — 2) x A(n — 2). Each f3[i] can 
be defined thus: 

P[i] := Xpq (n - 2,n - 2, 0(p, (i - l)(n - 2) + <?)}. 



We are interested in pairwise disjoint collections of paths: 

CollcctDisj(^4, x, y, /3, A) := 

Vi < A Path(A, x, y, /3[i\) A (14) 

(Vi ± j < A) Disjoint^, x, y, p[i),p\j}) 

The following formula expresses X(x, y) for a given ^4; note 
that it is a nf formula: 

MaxDisj(A, x, y, A) := 

(3/3 < (n - 2)A) CollectDisj(A, x, y, /3, A) A (15) 

(Va < n - 2)(Path(A, x, y, a) ->• 3i < A a = /3[i]) 

Likewise, we need to formalize k(x, y)\ we start with a 0-1 
matrix 7 expressing a cut in A: 

Cut(A7) := 

(Vi < n - 2)(Vj < n - 2)( 7 (i, j) = 1 -> j) = 1) 

which says that every edge of 7 is an edge of A, and it defines 
the cut implicitly as the set of edges in A but no in 7. Now, 
the following Ef formula expresses that there is an x, y-cut 
of size k in A: 

CutSizc(v4, x, y, k) := 

37 < (n - 2)Cut(A, 7) A E7 = « A (Va < n - 2) (17) 

-.Path(A P q(n - 2, n - 2, A(p, g) - 7(p, g)), x, y, a), 

and the minimum number of edges in an x, y-cut can be 
expressed with a formula that is a conjunction of a Ef formula 
with a nf formula, yielding therefore a formula in Ef nnf : 

MinCut( J 4,x,y, k) := 



(16) 



CutSize(A, x, y, k) A ^CutSize(^4, x, y, « — 1) 



(18) 



Putting it all together, we can state Menger's theorem in £la 
with a Ef n nf formula as follows: 

Menger(A) := 



MaxDisj(^4, x, y, A) A MinCut(A, x, y, n) -> A = « 



(19) 



(Note that if a formula is in Ef Hll^ , then its negation is still 
in Ef nnf .) 

Let Monger' be the restricted version of Menger's Theorem, 
i.e., one where x, y is a restricted pair, as in Definition [10] We 
can now state the main result of this section. 

Lemma 11: LA U Monger' h KMM. 

Proof: Note that the implication resembles the statement 
of KMM, but the difference is that in KMM the antecedent 
is a conjunction of two Ilf formulas (and hence it is a nf 
formula), whereas in Menger's theorem, the antecedent is a 
Ef n nf formula. 

Suppose that we have MinCover(^4, a) AMaxSelect(A, /3), 
the antecedent of KMM (see [5]). Using Menger's theorem 
(see \\% we want to conclude that Ea = E/3. We do so by 
restating "covers and selections" of A as "cuts and paths" of a 
related matrix A 1 defined as: A' is a 0-1 matrix of size \A\ + 1, 
with entries: 

(A(i,j) for 1 < i,j < |A| 
= < 1 one of {i, j} equals \A\ + 1 

I both of {i,j} equal \A\ + 1 



Note that A' can be stated succinctly as a term of Cj_,a- 

A' :=\ij(r(A) + l,c(A) + l, 

cond(l <i,j < \A\,A(i,j),cond(i = 3 = \A\ + 1,0, 1))) 

The point is that when we view A as representing a bipartite 
graph (with rows representing V\ and columns representing 
V2 and A(i,j) = 1 iff there is an edge e V\ x V 2 ), 

then A' represents a graph where two more vertices are added 
(x = \A\ + 1 and y = \A\ + 1, the first row and column of 
A, resp.) and x is connected to every vertex in V2 and y is 
connected to every vertex in V\, and x, y are not connected to 
any other vertices. 

Also, a maximal selection in A corresponds to a maximal 
matching in the related graph, and a minimal cover in A 
corresponds to a minimal cover in the related graph (recall 
that a cover in a graph is a subset of vertices so that every 
edge has at least one end-point in this subset). Furthermore, 
a maximal matching in the graph related to A corresponds 
to a maximal subset of internally disjoint paths in the graph 
related to A'; similarly, a minimal cover in the graph related 
to A corresponds to a minimal cut in the graph related to A', 

Finally, let: 

A' 
(A') T 



A" 



that is, A" is the adjacency matrix of the graph related to A' 
viewed as a normal graph (i.e., not bipartite). 
Claim 12: LA proves the following: 
. MinCover(A, a) «-» MinCut(A", x, y, Ea) 
. MaxSelect(A, 0) <-> MaxDisj(A", x, y, E/3) 
The proof of Claim [T2] does not require induction and we 
leave it to the reader. By Menger's Theorem it follows directly 
that Ecu = E/3 which also finishes the proof of KMM. 

It is easy to check that x, y is a restricted pair (Definition [TUt 
in the graph related to A". ■ 
Lemma 13: LA U KMM h Menger'. 

Proof: Suppose that we have MaxDisj(A, x, y, A) and 
MinCut(A, x, y, k); these two formulas assert the existence 
of P, a collection of A many pairwise disjoint x,y-paths, and 
7, an x, y-cut of size k. (The constructions of /3 and 7 have 
been shown earlier in this section.) We assume that x, y is a 
restricted pair of vertices, as in Definition [10] 

Each path in /3 must have at least one edge in the cut 7 and 
no edge of 7 can be in more than one path in /3, hence A < k. 
The proof of this is identical to the proof of Claim [6] 

Thus, it remains to show, using KMM, that A > k. To 
this end we proceed as follows: we construct a new matrix 
A', such that each row of A' corresponds to one of the paths 
in p. Note that since the paths in /3 are disjoint, the number 
of rows of A' is polynomial in the size of A; this is a key 
observation — there can be at most linearly many (in the 
number of vertices) disjoint paths in a given graph. On the 
other hand, the columns of A' correspond to the edges in 7, 
again bounded by a polynomial in the size of A, as there are 
at most |j4| 2 edges in the graph. We have A'(i,j) = 1 <^=> 
edge j is in the path i. 



Note that j3 and 7 are built independently; the only assertion 
we make about their relationship is that they are of the same 
size, i.e., A = K. In the next Claim we show how we can 
modify j3 and 7 (using an algorithm provably correct in LA) 
in order to obtain an A' to which we can apply KMM. 

Claim 14: We can modify /3 and 7, with a procedure 
provably correct in LA, so that each row and column of A' 
contains exactly one 1. 

Before we prove Claim [14] we show how we use it to show 
that A > k: if each row and column of A' has exactly one 1, 
then k = o A >, and by KMM, o A < = l A , < r(A') = A. 

We now prove Claim [14] First observe that no matter what 
(3 and 7 we pick, each column of A' has at most one 1, and 
each row of A' has at least one 1 . The reason is that the paths 
in (3 are pairwise disjoint — hence they never share an edge. 
If a row of A' contains no Is, then we have an x, y-path, and 
7 is not an x, y-cut. 

Suppose there is a column without a 1. Then there is an 
edge e e 7 that does not belong to any path in j3; if e were 
unnecessary, we could lower k, and get a contradiction (with 
the minimality of k). Thus, e cuts some x, y-path p not in /?; 
by the maximality of j3, p shares an edge e' with some path 
p' which is in j3. If e' is in the cut 7, then e is not needed — 
contradiction again. So e' is not in 7; exchange e and e' in 
order to obtain a new 7. Here is were we use the restriction 
on the graphs, i.e., we know that e is not shared by any other 
paths, as p shares its edge with p' . We leave showing that each 
row has at most one 1 to the reader. ■ 

B. Hall's Theorem 

Let Si, S2, ■ ■ ■ , S n be n subsets of a given set M. Let D 
be a set of n elements of M, D = {ai, 02, ... , a n }, such that 
di G Si for each i = 1,2, ... ,n. Then D is said to be a system 
of distinct representative (SDR) for the subsets Si, S2, ■ ■ ■ , S„. 

If the subsets Si, S2, ■ • ■ , S n have an SDR, then any k of 
the sets must contain between them at least k elements. The 
converse proposition is the combinatorial theorem of R Hall: 
suppose that for any k = 1, 2, . . . , n, any Si 1 U Si 2 U • • ■ U Si k 
contains at least k elements of M; we call this the union prop- 
erty. Then there exists an SDR for these subsets. (See lfT4l . 
03], |[T6l for more on Hall's theorem.) 

We formalize Hall's theorem in £la with an adjacency 
matrix A such that the rows of A represent the sets Si, and 
the columns of A represent the indices of the elements in M, 
i.e., the columns are labeled with [n] = {1,2, ... ,n}, and 
A(i,j) = 1 <==^ j e St. Let SDR(A) be the following 
Sf formula which states that A has a system of distinct 
representatives: 



SDR(A) := (3P < n)(Vi < n){AP) u = 1 



(20) 



We reserve the letters P, Q for permutation matrices, and 
(3P < n)(j) abbreviates (3P)[Perm(P) A \P\ < n A (f>\ 
(similarly for (VP < n)<fi, but with an implication instead of 
a conjunction), where Perm is a predicate stating that P 
is a permutation matrix (a unique 1 in each row and column). 
See H] for more details about handling permutation matrices. 



The next predicate is a nf formula stating the union 
property: 

UnionProp(yl) := 

VP < nVk < n3Q < n (21) 
[V» < k(X pq (k, 1, (PAQ) pi ) ^ X pq (k, 1, 0))] 

Therefore, we can state Hall's theorem as a formula: 

Hall(A) := UnionProp(yl) -)■ SDR(A) (22) 

Lemma 15: LA U KMM h Hall. 

Proof: Let A be a 0-1 sets/elements incidence matrix of 
size n x n. Assume that we have UnionProp(A); our goal is 
to show in LA, using KMM, that SDR(A) holds. 

Since by Claim |4] every matrix can be put in a diagonal 
form, using the fact that we have UnionProp(A), it follows 
that we can find P,Q < n such that Vfc < n(PAQ) kk = 1. 
Thus we need n lines to cover all the Is, but by KMM there 
exists a selection of n Is no two on the same line, hence, A 
is of term rank n. 

But this means that the maximal selection of Is, no two on 
the same line, constitutes a permutation matrix P (since A is 
n x n, and we have n Is, no two on the same line). Note that 
AP T has all ones on the diagonal, and this in turn implies 
SDR(A). ■ 

Lemma 16: LA U Hall h KMM. 

Proof: Suppose that we have MinCover(A, a) and 
MaxSelect(A, /?); we want to conclude that Ea = S/9 using 
Hall's Theorem. 

As usual, let l A = and o A = E/3, and by Claim [6] we 
already have that LA h o A < l A (see Section [DJ. We now 
show in LA that o A > l A using Hall's Theorem. 

Suppose that the minimum number of lines that cover all the 
Is of A consists of e rows and / columns, so that l A = e + f. 
Both l A and o A are invariant under permutations of the rows 
and the columns of A (Lemma [2J, and so we reorder the rows 
and columns of A so that these e rows and / columns are the 
initial rows and columns of A', 



A' = 



A x A 2 
A 3 A 4 



where Ai is of size ex/. Now, we shall work with the term 
rank of A2 and A3 in order to show that o A > l A . More 
precisely, we will show that the maximum number of Is, no 
two on the same line, in A2 is e, while in A3 it is /. 

Let us consider A2 as an incidence matrix for subsets 
Si, S2, ■ ■ ■ , S e of a universe of size \A\ — f, and A| (which 
is the transpose of A3) as an incidence matrix for subsets 
S[, S' 2 , ■ ■ ■ , Sj of a universe of size |A| — e. It is not difficult 
to prove that UnionProp(A2) and UnionProp(Ag) holds (and 
can be proven in LA; this is left to the reader), which in turn 
implies SDR(A 2 ) and SDR(A 3 ), resp., by Hall's Theorem. 
But the system of distinct representative of A2 (resp. A3) 
implies that o A2 > e (resp. o A t^ = o As > /), and since 
oa > o A2 + oa 3 , this yields that o A > e + f = I a- ■ 



C. Dilworth's Theorem 

Let 7 be a finite partially ordered set or poset (we use a 
"script 7" in order to distinguish it from permutation matrices, 
denoted with P). We say that a, b 6 7 are comparable 
elements if either a < 6 or b < a. A subset C of 7 is a 
chain if any two distinct elements of C are comparable. A 
subset S of CP is an anti-chain (also called an independent set) 
if no two elements of S are comparable. 

We want to partition a poset into chains; a poset with an 
anti-chain of size k cannot be partitioned into fewer than k 
chains, because any two elements of the anti-chain must be 
in a different partition. Dilworth's Theorem states that the 
maximum size of an anti-chain equals the minimum number of 
chains needed to partition 7. (For more on Dilworth's Theorem 
see 03, ED). 

In order to formalize Dilworth's theorem in £la< we 
represent finite posets 7 = (X = {x\, X2, • • ■ , x n }, <) with an 
incidence matrix A = Ay of size \X\ x \X\, which expresses 
the relation < as follows: A(i,j) = 1 <i=^ x^ < xj. For 
more material regarding formalizing posets see [fl9l . 

We let a 1 x n matrix a encode a chain as follows: 

Chain(A,a):=(Vi^i<n) 

[a(i) = a(j) = l^A(i,j) = lVA(j,i) = l\. 

In a similar fashion to (f23T > we define an anti-chain 7; the only 
difference is that the succedent of the implication expresses the 
opposite: A(i, j) — A A(j, i) = 0. 

Recall that using ( fT3l ) we were able to talk about a collection 
of paths; in a similar vain, we can use £la to talk about 
a collection of chains of 7: f3 is an 1 x re ■ n matrix which 
encodes the contents of re many chains. We can then talk about 
a minimal collection of chains, or a maximal size of an anti- 
chain in the usual fashion. Since we have done this already 
for collections of paths, we omit the details in the interest of 
space. The reader is encouraged to fill in the details. 

We can state Dilworth's Theorem as follows: 

Dilworth(A) := (3/3 < \A\ 2 )(3j < \A\) 

MinChain(A, f3, re) A MaxAntiCriain(A, 7, A) — > A = re 

(24) 

where the predicate MinChain(A, j3, re) asserts that j3 is a 
collection of re many chains that partition the poset, and the 
predicate MaxAntiChain(yl, 7, A) asserts that 7 is an anti- 
chain consisting of A elements. Again, the details of the £la 
definitions can be provided by the reader, in light of the 
definitions given in Section IV-AI 

Lemma 17: LA U KMM h Dilworth 

Proof: Suppose that we have MinChain(A, /?, re) and 
MaxAntiChain(A, 7, A); we want to use LA reasoning and 
KMM in order to show that A = re. 

As usual we define a matrix A 1 whose rows are labeled 
by the chains in j3, and whose columns are labeled by the 
elements of the poset. As there cannot be more chains than 
elements in the poset, it follows that the number of rows 
of A' is bounded by \A\ (while the number of columns is 



exactly \A\). The proof of this is similar to the proof of 
Claim 

We have that A'(i,j) = 1 chain i contains element j. 

Clearly each column contains at least one 1, as f3 is a partition 
of the poset. On the other hand, rows may contain more than 
one 1, as in general chains may have more than one element. 

Note that a maximal selection of Is, no two of them on the 
same line, corresponds naturally to a maximal anti-chain; such 
a selection picks one 1 from each line, and so its size is the 
number of rows of A' . By KMM, it follows that 

A = oa' = I a' = r(A') = re, 

where r(A') is the number of rows of A' . ■ 

Lemma 18: LA U Dilworth h KMM 

Proof: It is in fact easier to show that that LA U 
Dilworth h Hall, and since by Lemma [16] we have that 
LA U Hall h KMM, we will be done. 

In order to prove Hall using Dilworth and LA reasoning, we 
assume that we have A, a 0-1 sets/elements incidence matrix 
of size n x 71. Assume that we have UnionProp(A); our goal 
is to show in LA, using Dilworth, that SDR(A) holds. 

Let Si,S2,---,S n be subsets of {xi,X2, ...,x n } where 
n = \A\. We define a partial order 7 based on A; the universe 
of 7 is X = {Si, S%, . . . , S n } U {xi, . . . , x n }. The relation 
<y is defined as follows: Xi <y Sj <J=> A(i,j) = 1. 

Claim 19: The maximum size of an anti-chain in 7 is n. 
Proof: The {xi, . . . ,x n } form an anti-chain of length n, 
and we cannot add any of the Sj, as some Xi € Sj, and hence 
Xi <y Sj. ■ 

By Dilworth we can partition 7 into n chains, where each 
of the chains has two elements {x^, Sj}, giving us the set of 
distinct representatives, and hence SDR(A). ■ 

VI. Future work 

The main open question is the following: is KMM equiv- 
alent (in LA) to the general version of Menger's Theorem? 
That is, can we lift the restriction that x, y is a restricted pair of 
vertices (Definition ITOb. There are many proofs of the general 
version of Menger's theorem — for example ifPJl is clearly 
formalizable in 3LA. But it would be very interesting to know 
whether the general version of Menger's Theorem is equivalent 
to KMM in low complexity. 

Now that we know that 3LA h KMM (TheoremQ} and that 
KMM is equivalent to a host of other combinatorial theorems 
— and this equivalence can be shown in the weak theory LA 
(Theorem |9]l — it would be interesting to know whether it is 
also the case that: 

. LA U KMM h PHP 

. LA U PHP h KMM 
that is, whether LA can prove the equivalence of KMM and 
the pigeonhole principle. We conjecture that the first assertion 
is true, and that it should not be too difficult to show it. The 
second assertion is probably not true. Note that in the proof 
of Claim [6] we implicitly show a certain weaker kind of the 
PHP in LA: we showed that if we have a set of n items 
{ii, i2, • • • , in} and a second set of m items {ji,j2 5 ■■■,jm}< 



and we can match each i p with some j q , and this matching 
is both definable in LA and its injectivity is provable in LA, 
then 11 < m. We did this by defining an incidence matrix A 
such that A(p,q) = 1 •<=>• i p \-t j q . If this mapping is 
injective, then each column of A has at most one 1; thus: 

n<zZA = Sj(col % of A) < Ejl < m. 

Also, we would like to know whether LAUKMM can prove 
hard matrix identities, such as AB = I — > BA = I. Of course, 
we already know from |4| that (non-uniform) NC 2 Frege is 
sufficient to prove AB = I — > BA = I. On the other hand, 
is it possible that LA together with AB = I — > BA = I can 
prove KMM? This would imply that AB = I -> BA = I is 
"complete" for combinatorial matrix algebra, in the sense that 
all of combinatorial matrix algebra follows from this principle 
with proofs of low complexity. 

Furthermore, given two 0-1 matrices A,B, what can we 
say about Iab and oabP- From Claim [2] we know that if 
B is a permutation matrix, then Iab = Ia and oab = oa 
(and similarly, if A is a permutation matrix); but what can 
be said in general? Of course, the understanding here is that 
multiplication is over the field {0, 1}. 

VII. Appendix — LA 

The logical theory LA is strong enough to prove all the 
ring properties of matrices such as A(BC) = (AB)C and 
A + B = B + A, but weak enough so that the theorems of 
LA translate into propositional tautologies with short Frege 
proofs. LA has three sorts of object: indices (i.e., natural num- 
bers), ring elements, and matrices, where the corresponding 
variables are denoted i, j, k, . . .; a, b,c, . . .; and A, B,C, . . ., 
respectively. The semantic assumes that objects of type ring 
are from a fixed but arbitrary ring (for the purpose of this 
paper we are only interested in the ring Z), and objects of 
type matrix have entries from that ring. 

Terms and formulas are built from the following function 
and predicate symbols, which together comprise the language 
£la: 

Oindex, -Undex, ~t~index, *index, index? div, reiTl, 
Oring, Iring; ~"r~ring, *ring, ring j > 5 ^) (25) 
^index, — index? — ring: — matrix; COndj n dexi ^Olldring 

The intended meaning should be clear, except in the case of 
—index, cut-off subtraction, defined as i — j = if i < j. For a 
matrix A: r(A), c(A) are the numbers of rows and columns 
in A, e(A,i,j) is the ring element Aij (where Ay = if 
i = or j = or i > r(A) or j > c(A)), S(A) is the sum 
of the elements in A. Also cond(a, t±, £2) is interpreted if a 
then t\ else ti, where a is a formula all of whose atomic 
sub-formulas have the form m < n or m = n, where m, n 
are terms of type index, and t\ , t% are terms either both of 
type index or both of type ring. The subscripts index , ring , and 
matrix are usually omitted, since they ought to be clear from 
the context. 

We use n, m for terms of type index, t, u for terms of type 
ring, and T, U for terms of type matrix. Terms of all three 



types are constructed from variables and the symbols above 
in the usual way, except that terms of type matrix are either 
variables A,B,C, ... or A-terms Xij(m, n, t). Here i and j are 
variables of type index bound by the A operator, intended to 
range over the rows and columns of the matrix. Also m, n 
are terms of type index not containing i,j (representing the 
numbers of rows and columns of the matrix) and t is a term of 
type ring (representing the matrix element in position 

Atomic formulas are of the form m < n,m = n,t = u 
and T = U, where the three occurrences of = formally have 
subscripts index, ring , matrix, respectively. General formulas are 
built from atomic formulas using the propositional connectives 
-1, V, A and quantifiers V, 3. 

A. Axioms and rules of LA 

For each axiom listed below, every legal substitution of 
terms for free variables is an axiom of LA. Note that in a 
A term Xij(m, n,t) the variables i,j are bound. Substitution 
instances must respect the usual rules which prevent free 
variables from being caught by the binding operator Xij. The 
bound variables i, j may be renamed to any new distinct pair 
of variables. 

1 ) Equality Axioms: These are the usual equality axioms, 
generalized to apply to the three-sorted theory LA. Here = can 
be any of the three equality symbols, x, y, z are variables of 
any of the three sorts (as long as the formulas are syntactically 
correct). In A4, the symbol / can be any of the non-constant 
function symbols of LA. However A5 applies only to <, since 
this in the only predicate symbol of LA other than =. 

Al x = x 

A2 x = y — > y = x 

A3 (x~yAy~z)^x = z 

A4 xx = y x , x n = y n -> fx\...x n = fy\...y n 

A5 it = j 1; i 2 = 32, ii<i2^ ji < h 

2) Axioms for indices: These are the axioms that govern 
the behavior of index elements. The index elements are used 
to access the entries of matrices, and so we need to define 
some basic number theoretic operations. 



A6 




A7 


i * (j + 1) = (i * j) + i 


A8 


i+l=j+l^i=j 


A9 


i<i+j 


A10 


i + = i 


All 


i < 3 A j < i 


A12 


i + 'ti + 1) = + 


A13 


[i < j A j < i] — > i = j 


A14 


i * = 


A15 


[i < j A i + k = j] -> j 


A16 


->(i < j) -> 3 - i = 


A17 


[a — > cond(a,i, j) = i] 



3) Axioms for a ring: These are the axioms that govern the 
behavior for ring elements; addition and multiplication, as well 
as additive inverses. We do not need multiplicative inverses. 

A18 0/lAa + = a 



A19 o+(-o) = 

A20 1 * a = a 

All a + b = b + a 

A22 a * b = b * a 

A23 a+ (b + c) = (a + b) + c 

A24 a * (b * c) = (a * b) * c 

A25 a*(b + c)=a*b + a*c 

A26 [a — > cond(a, a, b) = a] A [—tot — > cond(a, a, b) = b] 

4) Axioms for matrices: Axiom A27 states that e(A,i,j) 
is zero when i,j are outside the size of A. Axiom A28 defines 
the behavior of constructed matrices. Axioms A29-A32 define 
the function E recursively by first defining it for row vectors, 
then column vectors (A 1 := \ij(c(A),r(A),Aji)), and then 
in general using the decomposition d26b . Finally, axiom A33 
takes care of empty matrices. 

A27 (i = V r(A) < i V j = V c(A) < j) -> 

-> e(A,i,i) = 
A28 r(Aij'(m, n-,i)) = to A c(\ij(m, n,t)) = n/\ 

[1 < j A i < ro A 1 < j A j < n] -> 

— > e(\ij(m,n,t),i,j) = t 
A29 r(A) =' 1, c(A) = 1 -> E(A) = e(A, 1, 1) 
A30 r(A) = 1 A 1 < c(A) E(A) = 

= E(Aij(l, c(A) - 1, Aij)) + A lc(A) 
A31 c(A) = 1 ->. E(A) = E(i4*) 
A32 1 < r(A) A 1 < c(A) E(A) = 

= e(A, 1, 1) + E(R(A)) + E(S(A)) + E(M(A)) 
A33 r(A) =0V c(A) = EA = 

Where 

R(A) := Aij(l, c(A) - 1, e(A, 1, i + 1)), 

S(A) :=\ij{r(A)-l,l,e(A,i + l,l)}, (26) 

M(A) := \ij(r(A) - 1, c(A) - 1, e(A i + + 1)). 

5) Rules for LA: In addition to all the axioms just pre- 
sented, LA has two rules: matrix equality and induction. 

Matrix equality rule 

From the premises: e(T 7 i 7 j) = e(U,i,j), r(T) = r(U) 
and c(T) = c(U), we conclude T = U. 

The only restriction is that the variables i,j may not occur 
free in T = U; other than that, T and U can be arbitrary 
matrix terms. Our semantics implies that i and j are implicitly 
universally quantified in the top formula. The rule allows us 
to conclude T = U, provided that T and U have the same 
numbers of rows and columns, and corresponding entries are 
equal. 

Induction rule a(i) — > a(i + 1) implies a(0) — > a(n). 

Here a(i) is any formula, n is any term of type index, and 
a(n) indicates n is substituted for free occurrences of i in 
a(i). (Similarly for a(0).) Note that in LA we only allow 
induction over E^ formulas (no matrix quantifiers), whereas 
in 3LA we allow induction over Ef formulas (a single block 



of bounded existential matrix quantifiers when a is put in 
prenex form). This completes the description of LA. We 
finish this section by observing the substitution property in the 
lemma below. We say that a formula S' of LA is a substitution 
instance of a formula S of LA provided that S' results by 
substituting terms for free variables of S. Of course each term 
must have the same sort as the variable it replaces, and bound 
variables must be renamed as appropriate. 

Lemma 20: Every substitution instance of a theorem of LA 
is a theorem of LA. 

This follows by straightforward induction on LA proofs. 
The base case follows from the fact that every substitution 
instance of an LA axiom is an LA axiom. 
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